TechSpot

Did I successfully remove malware?

By compdolt
Dec 11, 2010
  1. I turned on my computer today and a program popped up that said it was "scanning for viruses" and proceeded to "complete a scan" that found 34 "viruses" at which point the screen turned blue (with white 1's and 0's) with a message that said:

    "all of your informantion is permanently stored on your hard drive! Download virus protection now."

    Needless to say, I realized that my morning was not going to go as planned. I searched and found the 8-steps for removal, but not until after I scanned and removed some malware with Spybot Search & Destroy. In addition to the 8-steps I also ran Adaware. My computer seems to be running fine now, but I was hoping to have someone check the logs to make sure that I have killed it or if I need to do more.

    Here are my logs-- I ran the DDS program a couple of times, but could only get one of the logs to pop up.

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5296

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    12/11/2010 1:46:04 PM
    mbam-log-2010-12-11 (13-46-04).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 232317
    Time elapsed: 37 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-11 13:58:32
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
    Running: f1eip5ry.exe; Driver: C:\Users\Molly\AppData\Local\Temp\fgrdqpod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----



    DDS (Ver_10-12-05.01) - NTFSx86
    Run by Molly at 13:59:36.21 on Sat 12/11/2010
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_22
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3001.1561 [GMT -6:00]

    SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Launch Manager\dsiwmis.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe
    C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Acer\Acer VCM\RS_Service.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Windows\PLFSetI.exe
    C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
    C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Acer\Acer VCM\AcerVCM.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Molly\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0609&m=aspire_5810t
    uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0609&m=aspire_5810t
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0609&m=aspire_5810t
    mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0609&m=aspire_5810t
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Google Update] "c:\users\molly\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [LManager] c:\program files\launch manager\LManager.exe
    mRun: [PLFSetI] c:\windows\PLFSetI.exe
    mRun: [BackupManagerTray] "c:\program files\newtech infosystems\acer backup manager\BackupManagerTray.exe" -k
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
    mRun: [Acer ePower Management] c:\program files\acer\acer powersmart manager\ePowerTrayLauncher.exe
    mRun: [ODDPwr] "c:\program files\acer\optical drive power management\ODDPwr.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\users\molly\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: download.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: AVGRSSTX.DLL c:\progra~1\google\google~1\GOEC62~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\molly\appdata\roaming\mozilla\firefox\profiles\dv939qz2.default\
    FF - prefs.js: browser.startup.homepage - hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0609&m=aspire_5810t|http://global.acer.com/
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\molly\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Extension: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg9\toolbar\firefox\avg@igeared
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\molly\appdata\roaming\mozilla\firefox\profiles\dv939qz2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-11 64288]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-9 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-9 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-9 243024]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-9 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-9 308136]
    R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2009-6-15 117256]
    R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer powersmart manager\ePowerSvc.exe [2009-6-15 703008]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
    R2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\newtech infosystems\acer backup manager\IScheduleSvc.exe [2009-4-1 54528]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-23 144632]
    R2 ODDPwrSvc;Acer ODD Power Service;c:\program files\acer\optical drive power management\ODDPWRSvc.exe [2009-6-15 118784]
    R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-6-15 237568]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-11 1153368]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-15 112128]
    R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-6-15 50176]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-25 135664]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-6-24 30192]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
    S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-23 50424]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-12-11 19:08:00 -------- d-----w- c:\users\molly\appdata\roaming\Malwarebytes
    2010-12-11 19:07:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-11 19:07:53 -------- d-----w- c:\progra~2\Malwarebytes
    2010-12-11 19:07:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-11 19:07:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-11 15:46:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-12-11 15:46:16 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-12-11 15:42:48 -------- d-----w- c:\users\molly\appdata\local\Sunbelt Software
    2010-12-11 15:42:25 -------- dc-h--w- c:\progra~2\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
    2010-12-11 15:41:50 -------- d-----w- c:\program files\Lavasoft
    2010-12-11 15:12:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-11 15:12:03 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
    2010-12-11 13:14:40 -------- d-----w- c:\progra~2\bNgOb06301

    ==================== Find3M ====================

    2010-09-15 09:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL

    ============= FINISH: 14:00:58.52 ===============



    Thanks so Much!

    ~CD
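Added example (not from this thread, and not code from the DDS, Malwarebytes or GMER authors): a small triage script over the two log formats posted above, so the "is it clean?" question can be asked of the text rather than by eye. It parses the Malwarebytes summary counts and the DDS "Created Last 30" entries, then flags entries that were created before the first cleanup tool landed on the disk and whose name looks machine-generated. The marker list and the random-name heuristic are my assumptions, and a flagged entry is a lead to ask the helper about, not a verdict. The excerpts embedded below are constructed shortenings of the posted logs; note that the timestamps in that DDS section appear to be UTC (the Malwarebytes entries at 19:07 line up with the 1:46 PM GMT-6 scan that took 37 minutes).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed excerpts of the two logs posted above (shortened, same line format).
MBAM_SUMMARY = """\
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""

DDS_CREATED_LAST_30 = r"""
2010-12-11 19:08:00 -------- d-----w- c:\users\molly\appdata\roaming\Malwarebytes
2010-12-11 19:07:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 15:46:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-11 15:42:25 -------- dc-h--w- c:\progra~2\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-11 15:12:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-11 13:14:40 -------- d-----w- c:\progra~2\bNgOb06301
"""

MBAM_LINE = re.compile(r"^(?P<category>.+?) Infected:\s*(?P<count>\d+)\s*$")
DDS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# Assumed markers for the cleanup tools seen in the post; anything created before
# the earliest of these predates the cleanup and deserves a closer look.
CLEANUP_TOOL_MARKERS = ("malwarebytes", "mbam", "spybot", "lavasoft", "sunbelt", "lbd.sys", "sbredrv")


def parse_mbam_summary(text: str) -> Dict[str, int]:
    """Map each 'X Infected: N' summary line of an MBAM log to its count."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            counts[m.group("category")] = int(m.group("count"))
    return counts


def mbam_reports_clean(counts: Dict[str, int]) -> bool:
    """True only when the summary was found and every category is zero."""
    return bool(counts) and all(v == 0 for v in counts.values())


@dataclass
class CreatedEntry:
    created: datetime          # as printed by DDS (appears to be UTC on this page)
    size: Optional[int]        # None for directories, which DDS prints as dashes
    attrs: str                 # e.g. d-----w- (directory) or ----a-w- (file)
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_created_entries(text: str) -> List[CreatedEntry]:
    """Parse the 'Created Last 30' lines of a DDS log; non-matching lines are skipped."""
    entries: List[CreatedEntry] = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = None if m.group("size").startswith("-") else int(m.group("size"))
        created = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        entries.append(CreatedEntry(created, size, m.group("attrs"), m.group("path")))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic (assumed): a bare alphanumeric name of 8+ characters mixing digits,
    lower and upper case, with no extension, separator or recognisable word."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    return (any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def cleanup_started_at(entries: List[CreatedEntry]) -> Optional[datetime]:
    """Earliest creation time of anything belonging to a known cleanup tool."""
    times = [e.created for e in entries
             if any(marker in e.path.lower() for marker in CLEANUP_TOOL_MARKERS)]
    return min(times) if times else None


def triage(entries: List[CreatedEntry]) -> List[CreatedEntry]:
    """Entries created before the cleanup began whose name looks generated."""
    start = cleanup_started_at(entries)
    return [e for e in entries
            if (start is None or e.created < start) and looks_random(e.name)]


if __name__ == "__main__":
    print("MBAM clean:", mbam_reports_clean(parse_mbam_summary(MBAM_SUMMARY)))
    for e in triage(parse_created_entries(DDS_CREATED_LAST_30)):
        print("worth asking about:", e.created, e.attrs, e.path)
```

A zero-count Malwarebytes summary after Spybot and Ad-Aware have already removed things shows only that the last scanner found nothing, which is why the helper below still asks for the missing Attach.txt and further tool output; the flagged directory is exactly the kind of item to mention in the reply rather than delete on your own.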
     
  2. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================================

    Attach.txt part of DDS is missing. Please, post it.

    ======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. compdolt

    compdolt TS Rookie Topic Starter

    Thanks so much! I'll get started on the first step right away. I couldn't get the Attach.txt part of the DDS to appear at all; only the part that I posted appeared. Did I run the program incorrectly?

    Thanks!
     
  4. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Attach Attach.txt to your next reply and I'll see what's going on there.
     
  5. compdolt

    compdolt TS Rookie Topic Starter

    Attach.txt file and MBRCheck

    Sorry - I ran DDS again and waited a while; the Attach.txt popped up after a few minutes. Thanks!


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-05.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/15/2009 12:54:50 PM
    System Uptime: 12/12/2010 7:10:47 AM (0 hours ago)

    Motherboard: Acer | | Aspire 5810T
    Processor: Genuine Intel(R) CPU U2700 @ 1.30GHz | CPU | 1200/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 288 GiB total, 216.806 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    Acer Assist
    Acer Backup Manager
    Acer Crystal Eye Webcam
    Acer eRecovery Management
    Acer GridVista
    Acer PowerSmart Manager
    Acer Registration
    Acer ScreenSaver
    Acer VCM
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9
    Amazon MP3 Downloader 1.0.10
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    AVG Free 9.0
    Backup Manager Basic
    Brother HL-2040
    CCleaner
    Choice Guard
    Compatibility Pack for the 2007 Office system
    Google Chrome
    Google Desktop
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    Java Auto Updater
    Java(TM) 6 Update 22
    Junk Mail filter update
    Launch Manager
    MacGAMUT 2003
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.6.12)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NTI Backup Now 5
    NTI Backup Now Standard
    NTI Media Maker 8
    OGA Notifier 2.0.0048.0
    OpenOffice.org 3.2
    Optical Drive Power Management
    Picasa 3
    PowerDVD
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype Toolbars
    Skype™ 4.2
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer

    ==== End Of File ===========================

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Acer
    BIOS Manufacturer: INSYDE
    System Manufacturer: Acer
    System Product Name: Aspire 5810T
    Logical Drives Mask: 0x00000004

    Kernel Drivers (total 140):
    0x8204A000 \SystemRoot\system32\ntkrnlpa.exe
    0x82017000 \SystemRoot\system32\hal.dll
    0x80400000 \SystemRoot\system32\kdcom.dll
    0x80407000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x80477000 \SystemRoot\system32\PSHED.dll
    0x80488000 \SystemRoot\system32\BOOTVID.dll
    0x80490000 \SystemRoot\system32\CLFS.SYS
    0x804D1000 \SystemRoot\system32\CI.dll
    0x80601000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8067D000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8068A000 \SystemRoot\system32\drivers\acpi.sys
    0x806D0000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806D9000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806E1000 \SystemRoot\system32\drivers\pci.sys
    0x80708000 \SystemRoot\System32\drivers\partmgr.sys
    0x80717000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8071A000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x80724000 \SystemRoot\system32\drivers\volmgr.sys
    0x80733000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8077D000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8078D000 \SystemRoot\System32\Drivers\UBHelper.sys
    0x82609000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x826E4000 \SystemRoot\system32\drivers\atapi.sys
    0x826EC000 \SystemRoot\system32\drivers\ataport.SYS
    0x8270A000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8273C000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8274C000 \SystemRoot\system32\DRIVERS\Lbd.sys
    0x8275B000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x89E0B000 \SystemRoot\system32\drivers\ndis.sys
    0x89F16000 \SystemRoot\system32\drivers\msrpc.sys
    0x89F41000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8A00C000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8A11C000 \SystemRoot\system32\drivers\volsnap.sys
    0x8A155000 \SystemRoot\System32\Drivers\spldr.sys
    0x8A15D000 \SystemRoot\System32\Drivers\mup.sys
    0x8A16C000 \SystemRoot\System32\drivers\ecache.sys
    0x8A193000 \SystemRoot\system32\drivers\disk.sys
    0x8A1A4000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x8A1C5000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8DAE0000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8DAEB000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x8DAF4000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x8E400000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x8ECFF000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8EDA0000 \SystemRoot\System32\drivers\watchdog.sys
    0x8EDAC000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8EDB7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8DB03000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8DB12000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8DB9F000 \SystemRoot\system32\DRIVERS\L1C60x86.sys
    0x8DE04000 \SystemRoot\system32\DRIVERS\athr.sys
    0x8DEF4000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8DF07000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0x8DF11000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8DF1C000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8DF4D000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8DF4F000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8DF5A000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8DF76000 \SystemRoot\system32\Drivers\NTIDrvr.sys
    0x8DF7E000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x8DF87000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8DFB6000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8EDF5000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8DBAF000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8DBC6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8DBD1000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8A1DB000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8A1EA000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x89F7C000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x89F91000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8DFF7000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x89FA1000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8DBF4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x89FCB000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x80795000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x89FD8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8EE0A000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8F049000 \SystemRoot\system32\drivers\portcls.sys
    0x8F076000 \SystemRoot\system32\drivers\drmk.sys
    0x8F09B000 \SystemRoot\system32\drivers\IntcHdmi.sys
    0x8F0BC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8F0C5000 \SystemRoot\System32\Drivers\Null.SYS
    0x8F0CC000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8F0D3000 \SystemRoot\System32\drivers\vga.sys
    0x8F0DF000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8F100000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8F108000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8F110000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8F11B000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8F129000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8E00E000 \SystemRoot\System32\drivers\tcpip.sys
    0x8E0F8000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8E113000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8E129000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8E13D000 \SystemRoot\System32\Drivers\avgtdix.sys
    0x8E177000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8E1A9000 \SystemRoot\system32\drivers\afd.sys
    0x8F132000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8E1F1000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8F148000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8F15B000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8E000000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8F197000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8F1AE000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0x8F1B4000 \SystemRoot\System32\Drivers\avgldx86.sys
    0x8F1E8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x827CC000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x807CA000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x8DA00000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8FA09000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x962C0000 \SystemRoot\System32\win32k.sys
    0x8FAE4000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8FAEE000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x964E0000 \SystemRoot\System32\TSDDD.dll
    0x96500000 \SystemRoot\System32\cdd.dll
    0x8FAFD000 \SystemRoot\system32\drivers\luafv.sys
    0x8FB18000 \SystemRoot\system32\DRIVERS\irda.sys
    0x8FB36000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x8FB46000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x8FB70000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x8FB7A000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x8DA0D000 \SystemRoot\system32\drivers\spsys.sys
    0x8FB8D000 \SystemRoot\system32\drivers\HTTP.sys
    0x8DABD000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x805B1000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x89FE9000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x805CA000 \SystemRoot\system32\drivers\mrxdav.sys
    0xA9C0E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA9C2D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0xA9C66000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xA9C7E000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xA9CA6000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA9CF4000 \SystemRoot\system32\drivers\peauth.sys
    0xA9DD2000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xA9DDC000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xA9DE8000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0xC3405000 \??\C:\Users\Molly\AppData\Local\Temp\fgrdqpod.sys
    0xC341D000 \??\C:\Users\Molly\AppData\Local\Temp\mbr.sys
    0xC3424000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0x77500000 \Windows\System32\ntdll.dll

    Processes (total 78):
    0 System Idle Process
    4 System
    460 C:\Windows\System32\smss.exe
    528 csrss.exe
    572 C:\Windows\System32\wininit.exe
    580 csrss.exe
    592 C:\Program Files\AVG\AVG9\avgchsvx.exe
    600 C:\Program Files\AVG\AVG9\avgrsx.exe
    640 C:\Windows\System32\winlogon.exe
    684 C:\Windows\System32\services.exe
    696 C:\Windows\System32\lsass.exe
    704 C:\Windows\System32\lsm.exe
    796 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    948 C:\Windows\System32\svchost.exe
    1144 C:\Windows\System32\svchost.exe
    1340 C:\Windows\System32\svchost.exe
    1368 C:\Windows\System32\svchost.exe
    1384 C:\Windows\System32\svchost.exe
    1468 C:\Windows\System32\audiodg.exe
    1504 C:\Windows\System32\SLsvc.exe
    1528 C:\Windows\System32\svchost.exe
    1632 C:\Windows\System32\svchost.exe
    1860 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    2008 C:\Windows\System32\spoolsv.exe
    2040 C:\Windows\System32\svchost.exe
    1252 C:\Windows\System32\taskeng.exe
    1264 C:\Windows\System32\dwm.exe
    1592 C:\Program Files\AVG\AVG9\avgwdsvc.exe
    1644 C:\Program Files\Launch Manager\dsiwmis.exe
    1672 C:\Windows\explorer.exe
    1896 C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe
    1904 C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
    2156 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    2204 C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe
    2236 C:\Windows\System32\svchost.exe
    2284 C:\Program Files\Acer\Acer VCM\RS_Service.exe
    2324 C:\Windows\System32\svchost.exe
    2400 C:\Program Files\AVG\AVG9\avgnsx.exe
    2428 C:\Windows\System32\svchost.exe
    2504 C:\Windows\System32\SearchIndexer.exe
    2636 C:\Program Files\AVG\AVG9\avgemc.exe
    2716 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    2900 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    2976 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    3208 unsecapp.exe
    3216 WmiPrvSE.exe
    3296 WmiPrvSE.exe
    3616 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    3624 C:\Windows\System32\igfxtray.exe
    3632 C:\Windows\System32\hkcmd.exe
    3640 C:\Windows\System32\igfxpers.exe
    3648 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    3664 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    3896 C:\Windows\System32\taskeng.exe
    3948 C:\Program Files\Launch Manager\LManager.exe
    3960 C:\Windows\PLFSetI.exe
    3968 C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
    3996 C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe
    4004 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    4032 C:\Program Files\AVG\AVG9\avgtray.exe
    4040 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    4048 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    4092 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    2196 C:\Program Files\Acer\Acer VCM\AcerVCM.exe
    3460 C:\Windows\System32\igfxsrvc.exe
    3876 C:\Windows\System32\wbem\unsecapp.exe
    2736 C:\Windows\System32\igfxext.exe
    3844 C:\Windows\System32\igfxsrvc.exe
    2440 C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe
    2080 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    1232 C:\Windows\System32\igfxext.exe
    3404 C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe
    5812 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    5904 C:\Windows\System32\wuauclt.exe
    4792 dllhost.exe
    4536 dllhost.exe
    5304 taskeng.exe
    6116 C:\Users\Molly\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD3200BEVT-22ZCT0, Rev: 11.01A11

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 00DA077E92625BC67BBA239DB4218A4A12648922


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
     
  6. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    ...and Combofix....
     
  7. compdolt

    compdolt TS Rookie Topic Starter

    Here's Combofix!

    ComboFix 10-12-11.06 - Molly 12/12/2010 13:45:10.1.1 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3001.1936 [GMT -6:00]
    Running from: c:\users\Molly\Downloads\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {DAAC1C79-1A96-9DFE-FC4C-6940214C33E6}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possible infected sites -----

    hxxp://ads1.msads.net
    .
    ((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
    .

    2010-12-12 19:51 . 2010-12-12 19:51 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-12-11 19:08 . 2010-12-11 19:08 -------- d-----w- c:\users\Molly\AppData\Roaming\Malwarebytes
    2010-12-11 19:07 . 2010-11-29 23:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-11 19:07 . 2010-12-11 19:07 -------- d-----w- c:\programdata\Malwarebytes
    2010-12-11 19:07 . 2010-12-11 19:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-11 19:07 . 2010-11-29 23:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-11 15:46 . 2010-12-11 15:46 -------- dc----w- c:\windows\system32\DRVSTORE
    2010-12-11 15:46 . 2010-12-03 09:05 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-12-11 15:46 . 2010-12-11 15:46 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-12-11 15:42 . 2010-12-11 15:42 -------- d-----w- c:\users\Molly\AppData\Local\Sunbelt Software
    2010-12-11 15:42 . 2010-12-11 15:42 -------- dc-h--w- c:\programdata\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
    2010-12-11 15:41 . 2010-12-11 15:46 -------- d-----w- c:\programdata\Lavasoft
    2010-12-11 15:41 . 2010-12-11 15:41 -------- d-----w- c:\program files\Lavasoft
    2010-12-11 15:12 . 2010-12-11 22:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-12-11 15:12 . 2010-12-11 15:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-11 13:14 . 2010-12-11 13:14 -------- d-----w- c:\programdata\bNgOb06301

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-15 09:50 . 2010-07-30 14:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-10 23:25 . 2010-09-10 23:25 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-24 68856]
    "Google Update"="c:\users\Molly\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-06-26 136176]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-12 186904]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 150552]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-11 7399968]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-04-11 1833504]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
    "LManager"="c:\program files\Launch Manager\LManager.exe" [2009-04-09 1071624]
    "PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-30 200704]
    "BackupManagerTray"="c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-04-02 249600]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2009-03-31 62760]
    "Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2009-05-16 440864]
    "ODDPwr"="c:\program files\Acer\Optical Drive Power Management\ODDPwr.exe" [2009-04-30 176128]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-10 30192]
    "Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]

    c:\users\Molly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-6-15 565248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
    2007-11-26 18:21 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-06-12 09:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-26 135664]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-12-03 1389400]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-09-10 30192]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-12-03 15264]
    R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
    S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2009-04-11 117256]
    S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [2009-05-16 703008]
    S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-04-02 54528]
    S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
    S2 ODDPwrSvc;Acer ODD Power Service;c:\program files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [2009-04-30 118784]
    S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2009-02-05 237568]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-22 112128]
    S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-04-01 50176]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-26 03:31]

    2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-26 03:31]

    2010-12-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3715082811-1155734369-568315705-1000Core.job
    - c:\users\Molly\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-26 13:23]

    2010-12-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3715082811-1155734369-568315705-1000UA.job
    - c:\users\Molly\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-26 13:23]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0609&m=aspire_5810t
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0609&m=aspire_5810t
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    Trusted Zone: download.com
    FF - ProfilePath - c:\users\Molly\AppData\Roaming\Mozilla\Firefox\Profiles\dv939qz2.default\
    FF - prefs.js: browser.startup.homepage - hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0609&m=aspire_5810t|http://global.acer.com/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\users\Molly\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - HiddenExt: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\Molly\AppData\Roaming\Mozilla\Firefox\Profiles\dv939qz2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-12 13:51
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-12-12 13:55:25
    ComboFix-quarantined-files.txt 2010-12-12 19:55

    Pre-Run: 233,476,214,784 bytes free
    Post-Run: 232,695,234,560 bytes free

    - - End Of File - - 52020FC4F6288C7BD9D3C7EB43080DB7
     
  8. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    We'll start with fixing your MBR:
    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
     
  9. compdolt

    compdolt TS Rookie Topic Starter

    Hello! Sorry for the delayed response. I have been trying to complete the mbr fix, but have been unsuccessful. I am not sure if I have set the boot order properly as the screen that showed up on my computer didn't match any of the ones on the website. Here's what it was like:

    I pressed F2 to go to the startup screen, which had 5 main menus:

    Info, Main, Security, Boot, and Exit.

    The boot menu had the following options:

    1. IDE0: WDC WD 3200BEVT-22zct0
    2. IDE1:
    3. CD/DVD: MATSHITADVD-RAM UJ862AS
    4. USB FDD:
    5. Network Boot: Atheros Boot Agent
    6. USB Device:
    7. USB: CD/DVD ROM
    8. USB: CD/DVD ROM


    I tried booting the computer with #3, #7, and #8 as the first boot priority, and got as far as selecting the language. After this point I got the following message each time:

    "Can't open CD driver CDRCACH
    SHSUCDX
    Can't install, failure loading, unable to find CDR drive!
    If you have multiple CD ROM drives please remove the other CD ROM discs and try again. Otherwise your disc may be corrupt or the CD ROM driver does not correctly support your system.
    Please reboot your computer now."

    I also burned a second cd and got the same result. :p

    Thanks,
    Molly
     
  10. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    That happens...

    We'll use a different method....

    If you have Vista/7 DVD...

    start with step 2

    If you don't have Vista/7 DVD...

    1. Create Vista/7 Recovery Disc.

    Option 1 :
    Vista: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html (Option Two)
    Windows 7: http://www.guidingtech.com/3816/system-repair-recovery-disc-windows-7/

    Option 2:
    Download Vista Recovery Disc iso image: http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/
    Download Windows 7 Recovery Disc iso image: http://neosmart.net/blog/2009/windows-7-system-repair-discs/
    Burn it to CD, or DVD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

    2. Boot from created disk.

    Vista users. At first screen click on Repair your computer:

    Windows 7 users. At first screen click on Install now:
    Select your language and click next:
    Click the button for "Use recovery tools":

    The following applies to both Vista and Windows 7 users.

    This will bring you to a new screen where the repair process will look for all Windows Vista/7 installations on your computer. When done you will be presented with the System Recovery Options dialog box:
    After this, it will present you with a list of options including startup repair, system restore and command prompt:
    Select Command Prompt

    Type in:
    bootrec /FixMbr (<--- there is a "space" after "bootrec")
    and then press Enter

    Once completed then type Exit, press Enter and restart computer.

    Post fresh MBRCheck log.
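    As an added example (not part of this thread, and not MBRCheck's or ComboFix's own code): the kind of check MBRCheck performs on the first sector, and the kind worth rerunning after bootrec /FixMbr. It verifies the 55 AA boot signature, sanity-checks the four partition entries, and hashes only the 440-byte boot-code region; the MBR bytes, the 0x1388800 C: offset from the log, and the "known-good" hash set (seeded from the constructed reference sector rather than any real Windows MBR hash) are all constructed here.

```python
"""Added example: an MBR integrity check in the spirit of MBRCheck."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the executable boot code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
BOOT_SIGNATURE = 0xAA55        # stored little-endian as 55 AA at offset 510
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def boot_code_sha1(sector: bytes) -> str:
    """SHA1 of the boot-code region only; partition table and signature are excluded."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partition_table(sector: bytes) -> list:
    """Decode the four partition entries into dicts."""
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, offset)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def analyse_mbr(sector: bytes, known_good: set) -> dict:
    """Return the boot-code hash, a status string and a list of structural findings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    findings = []
    (signature,) = struct.unpack_from("<H", sector, 510)
    if signature != BOOT_SIGNATURE:
        findings.append("boot signature 55 AA missing")
    partitions = parse_partition_table(sector)
    used = [p for p in partitions if p["type"] != 0]
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append("invalid status byte 0x%02X" % p["status"])
        if p["sectors"] == 0:
            findings.append("partition of type 0x%02X has zero length" % p["type"])
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    ordered = sorted(used, key=lambda p: p["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append("overlapping partitions")
    digest = boot_code_sha1(sector)
    # A bootkit typically rewrites the boot code but leaves the partition table intact,
    # so the hash is checked separately from the structural findings.
    status = "Known-good MBR code" if digest in known_good else "Unknown MBR code"
    return {"sha1": digest, "status": status, "partitions": partitions, "findings": findings}


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, ptype, lba_start, count)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed sample boot code (not real bootstrap code): a few x86 bytes padded with NOPs.
REFERENCE_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 8)
# Constructed layout: a hidden recovery partition, then a bootable C: starting at sector
# 0x1388800 (the 0x271100000-byte offset reported by MBRCheck, divided by 512).
REFERENCE_PARTITIONS = [
    (0x00, 0x27, 2048, 20_480_000),
    (0x80, 0x07, 0x1388800, 600_000_000),
]
REFERENCE_MBR = build_mbr(REFERENCE_BOOT_CODE, REFERENCE_PARTITIONS)
# The trusted set is seeded from the reference sector, standing in for a vendor hash list.
KNOWN_GOOD = {boot_code_sha1(REFERENCE_MBR)}
# A tampered copy: first boot-code byte changed, partition table untouched.
TAMPERED_MBR = build_mbr(b"\xEA" + REFERENCE_BOOT_CODE[1:], REFERENCE_PARTITIONS)

if __name__ == "__main__":
    for name, mbr in (("reference", REFERENCE_MBR), ("tampered", TAMPERED_MBR)):
        report = analyse_mbr(mbr, KNOWN_GOOD)
        print(name, report["status"], report["sha1"], report["findings"])
```

On a live system the sector comes from reading the first 512 bytes of the physical disk with administrative rights; the hash of that read is what you compare against a trusted list.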
     
  11. compdolt

    compdolt TS Rookie Topic Starter

    Sorry I have been a bit out of touch. I tried to download the recovery file, but foolishly burned the wrong windows (64 bit instead of 32 bit) on my very last cd-- and then went on a short trip and haven't been able to work on this problem. I hope to get some more discs today, but I may not be able to.

    Thanks!

    Molly
     
  12. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Thanks for keeping me updated :)
     
Topic Status:
Not open for further replies.
